Mobile manufacturers and mobile operators generally leave mobile operating systems unpatched after the device has been sold to the end user, or at best ship security patches far too late.

The Stagefright vulnerability shows how severe this situation has become: nearly 1 billion Android devices were still vulnerable a year after the remotely exploitable weakness was documented. Stagefright is the media-processing library Android uses to parse incoming audio and video. A malformed media file can trigger memory corruption in that library and give the attacker remote code execution in the context of the mediaserver process, which on most devices is not root but already has access to the camera, microphone and the device's media; a separate privilege escalation is needed for full root. All the attacker has to do is deliver a media file to the victim. The user does not even need to open the message: the file is parsed automatically when the messaging app fetches it and generates a preview, and the attacker can delete the message afterwards to remove the trace. Disabling MMS auto-retrieve in the messaging app was the widely recommended stopgap; it closes the MMS delivery path but not other paths, such as a media file served by a web page, that reach the same parser.

“An attacker in possession of their target’s phone number could send an MMS or even a Google Hangouts message to an affected device that triggers the vulnerability before the victim has a chance to open the message.”

Ref: https://threatpost.com/android-stagefright-flaws-put-950-million-devices-at-risk/113960/

Since little or nothing has improved in terms of security patching for mobile users, and with such a nightmare scenario possible, the US government has now started to investigate why the market does not function even for basic mobile security practices.

“The glaring lack of public, real-world Stagefright exploits didn’t stop the U.S. government from using last summer’s blockbuster Android vulnerability as an illustration of the dangers facing mobile device users.

Under the context of Stagefright exposing up to 1 billion devices to attack, the Federal Trade Commission and the Federal Communications Commission yesterday said they are collaborating on an investigation into the security update practices of the leading carriers. The two agencies sent letters to leading device makers and carriers, including AT&T, Verizon, T-Mobile, Sprint, US Cellular, and Tracfone, as well as Apple, Google, Samsung, BlackBerry, HTC America, and Microsoft.

The letters give the respective vendors 45 days to report on how they communicate information about vulnerabilities, develop and test security updates and deploy them to devices.”

Ref: https://threatpost.com/fcc-ftc-investigate-mobile-security-update-practices/117972/

History tells us that the root cause of such structural security problems lies in the economics of security. These problems can be described as Gordian knots, which the market seldom unties on its own. Too often we see misaligned incentives between stakeholders, and these are the main factors behind imperfections in the security market. Simple questions such as “who is responsible for, and does the work of, patching, testing and distribution?”, “who bears the costs?” and “who receives the compensation and the benefits?” remain unanswered. These issues have to be resolved with a sound business model that unites the various stakeholders behind the same security objectives. Until regulatory authorities enforce patching responsibility and impose consequences for non-compliance, together with such a business model, we will most likely live with systematically unpatched mobile devices forever.

Moreover, history tells us that such an ‘attractive’ attack opportunity, with low attack cost, extremely high scalability and easy penetration into banking accounts and payment transactions, will not be ignored by cyber-criminals. See our blog post on overlay malware.

There is a very high probability that criminals will sooner or later exploit Stagefright vulnerabilities, combined with massive scaling mechanisms, for large-scale attacks against financial transactions originating in mobile banking and payment applications. An example of how far the exploitation side has already come is the Metaphor exploit from March 2016, which chains a Stagefright bug with an ASLR bypass and could potentially take over approximately 275 million Android devices simply by serving a crafted media file from a booby-trapped website.

Ref: http://arstechnica.com/security/2016/03/275-million-android-phones-imperiled-by-new-code-execution-exploit/

This is the reason the Protectoria Secure Mobile Platform (PSMP) is based on a security strategy that does not trust any mobile operating system.

The PSMP creates its own patent-pending trusted and secure running environment within the application layer of the mobile device. The PSMP server has complete server-side control of this environment, with the objective of protecting transactions transparently within a single mobile user experience, in compliance with the Strong Customer Authentication requirement of PSD2.

Through its entropy model, the PSMP server can dynamically, unpredictably and continuously patch the personalized running code of the PSMP secure mobile client. This keeps both financial transactions and users of self-service apps safe, even under the most extreme risk scenarios.